Motivation

Distributed algorithms have always been important
• File Systems, Resource Allocation, Internet, ...

Increasingly becoming safety-critical
• Robotic, transportation, energy, medical

Prove correctness of distributed algorithm implementations
• Pseudo-code is verified manually (semantic gap)
• Implementations are heavily tested (low coverage)
Approach: Verification + Code Generation

(Diagram) Program in Domain Specific Language = Distributed Application + Safety Specification
  → Verification: Debug Application, Refine Specification
  → Code Generation: Run on Physical Device / Run within simulator

"The Verifying Compiler: A Grand Challenge for computing research" (Tony Hoare)
Verification

Model Checking

(Diagram) Program in Domain Specific Language → Model Checking

Automatic verification technique for finite state concurrent systems.
• Developed independently by Clarke and Emerson and by Queille and Sifakis in the early 1980s.
• ACM Turing Award 2007

Specifications are written in propositional temporal logic. (Pnueli 77)
• Computation Tree Logic (CTL), Linear Temporal Logic (LTL), ...

Verification procedure is an intelligent exhaustive search of the state space of the design
Code Generation

(Diagram) Program in Domain Specific Language → MADARA Middleware

MADARA Middleware

A database of facts: DB = Var → Value
Node i has a local copy: DBi
• update DBi arbitrarily
• publish new variable mappings
  • Immediate or delayed
  • Multiple variable mappings transmitted atomically

Implicit "receive" thread on each node
• Receives and processes variable updates from other nodes
• Updates ordered via Lamport clocks

Portable to different OSes (Windows, Linux, Android etc.) and networking technology (TCP/IP, UDP, DDS etc.)

Software Engineering Institute, Carnegie Mellon University
Model-Driven Verifying Compilation
Sagar Chaki, October 1, 2014
©2014 Carnegie Mellon University

Synchronous Distributed Application (SDA)

(Diagram) Node 0 = f0()   Shared Variables: GV = GV[0], GV[1]   Node 1 = f1()
SDA Verification

Program with n nodes: P(n)
• Each node has a distinct id ∈ [1, n]
• Array GV has n elements, GV[i] writable only by node with id i
• Each element of GV is drawn from a finite domain

In each round, node with id id executes function p whose body is a statement:

  stmt := skip
        | lval = exp                (assignment)
        | ITE(exp, stmt, stmt)      (if, then, else)
        | ALL(lv, stmt)             (iterate over nodes: use to check existence)
        | {stmt*}                   (iteration of statements)
  lval := GV[id] | lv               (lvalues)
  exp  := T | ⊥ | lval | id | lv | o(exp*)   (expressions)

Initial states and "ERROR" states of the program are defined
• State = value assigned to all variables

Verification = decide if there is an execution of the program that starts in an initial state and ends in an ERROR state

Semantic Sequentialization: SEQSEM

(Diagram) Node 0 = f0()   Shared Variables: GV = GV[0], GV[1]   Node 1 = f1()

Double Buffering Sequentialization: SEQDBL

(Diagram) Node 0 = f0()   Shared Variables: GV = GV[0], GV[1]   Node 1 = f1()

Use 2 copies of GV (GV0 and GV1). Use each copy as input in alternate rounds.

Round 1:
  GV1[0]     = f0(GV0)
  GV1[1]     = f1(GV0)
  ...
  GV1[n-1]   = f_{n-1}(GV0)

Round 2:
  GV0[0]     = f0(GV1)
  GV0[1]     = f1(GV1)
  ...
  GV0[n-1]   = f_{n-1}(GV1)
Example: 2D Synchronous Collision Avoidance

(Diagram: 4x4 grid with corners (0,0), (3,0), (0,3), (3,3))

Reservation contention resolved based on Node ID. No collision possible if no over-booking.
2D Collision Avoidance Protocol

(State diagram) NEXT → REQUEST → WAITING → MOVE → NEXT, with transition guards:
• REQUEST → WAITING: if no other node is locking the next coordinate
• WAITING → MOVE: if no other node "with higher id" is trying to lock the next coordinate
• MOVE → MOVE: moving to the next coordinate
• MOVE → NEXT: reached the next coordinate
Other Examples
• 3D Collision Avoidance
• Mutual Exclusion

Results: 3D Collision Avoidance

Results: 2D Collision Avoidance

Results: Mutual Exclusion
Synchronizer Protocol: 2BSYNC

(Diagram) Node 0 = f0()   Shared Variables: GV = GV[0], GV[1]   Node 1 = f1()

Use barrier variables: b0, b1. Initialized to 0.

Atomic Send. Either both GV0[0] and b0 are received, or none is received. Can be implemented on existing network stack, e.g. TCP/IP.

(Timeline diagram; Node 0 keeps local copies GV0, b0 and Node 1 keeps GV1, b1. Steps recoverable from the slide, in order:)
  Node 0:  b0 := b0 + 1;  b0!;  Barr0;  ...  b0 := b0 + 1;  (GV0[0], b0)!;  Barr0
  Node 1:  b1 := b1 + 1;  b1!;  Barr1;  GV1[1] = f1(GV1);  b1 := b1 + 1;  (GV1[1], b1)!;  Barr1

  Barr0 = while(b1 < b0) skip;
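The barrier exchange above, simulated with one Python thread per node (added example, not the project's code). It assumes the synchronizer is paired with the two-copy scheme from SEQDBL so that a faster node's next-round value never overwrites a value a slower node is still reading, folds the implicit receive thread into the barrier wait, and uses a constructed per-node function f_i; the final values are checked against the SEQDBL sequentialization.

```python
import queue, threading

def f(i, gv):
    # Constructed per-node function f_i: node i combines its own value with its ring successor's.
    return gv[i] + gv[(i + 1) % len(gv)]

def seqdbl(gv0, rounds):
    # Reference: the SEQDBL sequentialization, two copies of GV used as input in alternate rounds.
    bufs = [list(gv0), list(gv0)]
    for r in range(1, rounds + 1):
        src, dst = bufs[(r - 1) % 2], bufs[r % 2]
        for i in range(len(gv0)):
            dst[i] = f(i, src)                     # GV_r[i] = f_i(GV_{r-1})
    return bufs[rounds % 2]

def node(i, gv0, rounds, net, result):
    # One 2BSYNC participant; net[i] is its inbox and each message is one atomic (sender, value, b).
    n = len(gv0)
    bufs = [list(gv0), list(gv0)]                  # two local copies of GV (assumed pairing with SEQDBL)
    b = [0] * n                                    # local view of every node's barrier counter b_j
    for r in range(1, rounds + 1):
        bufs[r % 2][i] = f(i, bufs[(r - 1) % 2])   # GV_i[i] = f_i(GV_i) on last round's copy
        b[i] = r                                   # b_i := b_i + 1
        for j in range(n):                         # (GV_i[i], b_i)! : atomic send to every other node
            if j != i:
                net[j].put((i, bufs[r % 2][i], r))
        while min(b) < b[i]:                       # Barr_i = while (b_j < b_i) skip, for every j
            j, v, bj = net[i].get()                # receive: value and b_j land together or not at all
            bufs[bj % 2][j] = v; b[j] = bj
    result[i] = bufs[rounds % 2]

def run_2bsync(gv0, rounds):
    # Runs every node in its own thread and returns each node's final view of GV.
    n = len(gv0)
    net = [queue.Queue() for _ in range(n)]
    result = [None] * n
    threads = [threading.Thread(target=node, args=(i, gv0, rounds, net, result)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return result
```

Every node ends with the same GV as the sequential SEQDBL run, which is what the barrier plus atomic send guarantees.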
Proof of correctness in paper

Tool Overview

Project webpage (http://mcda.googlecode.com)
• Tutorial (https://code.google.com/p/mcda/wiki/Tutorial)

Verification
• daslc --nodes 3 --seq --rounds 3 --seq-dbl --out tutorial-02.c tutorial-02.dasl
• cbmc tutorial-02.c (takes about 10s to verify)

Code generation & simulation
• daslc --nodes 3 --madara --vrep --out tutorial-02.cpp tutorial-02.dasl
• g++ ...
• mcda-vrep.sh 3 outdir ./tutorial-02 ...

DEMO
Future Work

Improving scalability and verifying with unbounded number of rounds

Verifying for unbounded number of nodes (parameterized verification)
• Paper at SPIN'2014 Symposium

Asynchronous and partially synchronous network semantics

Scalable model checking
• Abstraction, compositionality, symmetry reduction, partial order reduction

Fault-tolerance, uncertainty, ...
• Combine V&V of safety-critical and mission-critical properties
Synchronous Collision Avoidance Code

  MOC_SYNC;

  CONST X = 4; CONST Y = 4;
  CONST NEXT = 0;
  CONST REQUEST = 1;
  CONST WAITING = 2;
  CONST MOVE = 3;

  EXTERN int MOVE_TO (unsigned char x, unsigned char y);

  NODE uav (id) { ... }
  void INIT () { ... }
  void SAFETY { ... }

  NODE uav (id)
  {
    GLOBAL bool lock[X][Y][#N];
    LOCAL int state, x, y, xp, yp, xf, yf;
    void NEXT_XY () { ... }
    void ROUND () {
      if (state == NEXT) { ...
        state = REQUEST;
      } else if (state == REQUEST) { ...
        state = WAITING;
      } else if (state == WAITING) { ...
        state = MOVE;
      } else if (state == MOVE) { ...
        state = NEXT;
      }
    }
  }

  INIT
  {
    FORALL_NODE(id)
      state.id = NEXT;
    //assign x.id and y.id non-deterministically
    //assume they are within the correct range
    //assign lock[x.id][y.id][id] appropriately

    //nodes don't collide initially
    FORALL_DISTINCT_NODE_PAIR (id1, id2)
      ASSUME(x.id1 != x.id2 || y.id1 != y.id2);
  }

  SAFETY {
    FORALL_DISTINCT_NODE_PAIR (id1, id2)
      ASSERT(x.id1 != x.id2 || y.id1 != y.id2);
  }

Synchronous Collision Avoidance Code

  if (state == NEXT) {
    //compute next point on route
    if (x == xf && y == yf) return;
    NEXT_XY();
    state = REQUEST;
  } else if (state == REQUEST) {
    //request the lock but only if it is free
    if (EXISTS_OTHER(idp, lock[xp][yp][idp] != 0)) return;
    lock[xp][yp][id] = 1;
    state = WAITING;
  } else if (state == WAITING) {
    //grab the lock if we are the highest
    //id node to request or hold the lock
    if (EXISTS_HIGHER(idp, lock[xp][yp][idp] != 0)) return;
    state = MOVE;
  } else if (state == MOVE) {
    //now we have the lock on (xp,yp); MOVE_TO takes the target as declared
    if (MOVE_TO(xp, yp)) return;
    lock[x][y][id] = 0;
    x = xp; y = yp;
    state = NEXT;
  }

